#VU59579 OS Command Injection in ansible-runner - CVE-2021-4041 

 


Published: January 13, 2022


Vulnerability identifier: #VU59579
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-4041
CWE-ID: CWE-78
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: ansible-runner
Software vendor: Ansible

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper input validation in ansible_runner.interface.run_command. A local user can pass specially crafted parameters to the command, and these are executed on the host operating system instead of the guest OS.


Remediation

Install updates from the vendor's website.
